(57) Abstract: In a packet radio network a packet data address is activated for a terminal for transmitting data packets between the terminal and an external network. Information on the activated packet data address is stored at least in the edge nodes of the network. To prevent spoofing, i.e. misrepresentation of sender data, the method and network node of the invention comprise checking (206) in the node whether the source address of the packet transmitted from the terminal is the same as the packet data address used in the transmission of the packet, or whether the source address belongs to a set of allowed packet data addresses. The packet is transmitted (207) from the node towards the destination address only if the addresses are identical or the source address belongs to the set of allowed packet data addresses.
Prevention of spoofing in telecommunications systems

BACKGROUND OF THE INVENTION 

The invention relates to prevention of spoofing in telecommunications systems which are capable of transmitting packet data. In particular, the invention relates to preventing spoofing of sender data in IP (Internet Protocol) packets sent from a mobile station in mobile communication systems.

Mobile communication networks function as effective access networks which provide the users with access to the actual data networks for mobile data transmission. Mobile data transmission is supported particularly well by digital mobile communication systems, such as the pan-European mobile communication system GSM (Global System for Mobile Communication). In this application the term 'data' refers to any information transmitted in a digital telecommunications system. Such information may comprise digitally encoded audio and/or video, inter-computer data traffic, telefax data, short sections of program codes, etc. The mobile communication system generally refers to any telecommunications system which employs wireless communication when the users move within the service area of the system. A typical example of a mobile communication system is a public land mobile network PLMN. The mobile communication network is often an access network which provides the user with wireless access to external networks, hosts or services offered by specific service producers.

One of the main goals in the development of the mobile communication systems has been to offer an opportunity of using IP services via the mobile communication network so that the mobile station can also function as the host. This is possible in a general packet radio service GPRS, for example. The GPRS service provides packet data transmission between mobile data terminals and external data networks in the GSM system. To send and receive GPRS data, a mobile station has to activate the packet data address it wants to use by requesting a PDP (Packet Data Protocol) activation procedure. This operation makes the mobile station known in the corresponding gateway support node, and thus interworking with the external data networks using the activated packet data address can be initiated. Similar solutions are also being designed for the 'third-generation mobile communication systems', such as the UMTS (Universal Mobile Telecommunications System) and IMT-2000 (International Mobile Telecommunications 2000).
Particularly in IP networks spoofing, i.e. forging of the source address of an IP data packet, is easy. In other words, the host transmitting the IP packet may pretend to be someone else and send packets in the name of A to B, who then sends a response to A. In that case both A and B will be interfered with. One solution to this problem is to use firewalls. In these the user is not, however, authenticated; only source and destination addresses are monitored. In a firewall, source addresses are usually described with the accuracy of a subnetwork. Consequently, the firewall cannot know the real sender of the packet, and hosts in the same subnetwork can represent themselves as each other. Since the source addresses allowed in the firewall have to be known in advance and the mobile station must be able to move from the area of one firewall to the area of another without changing its IP address, the allowed source addresses of the firewalls in practice cover all mobile stations which are capable of accessing a subnetwork protected by the firewall. The problem caused by this is that the source address of the IP packet is not reliable, and to prevent spoofing the mobile host has to be authenticated separately. Prevention of spoofing is particularly important when IP services for which the host is charged are used. A reliable authentication procedure may, however, increase the delay in the network or waste limited resources, i.e. the air interface, in the mobile communication networks.

BRIEF DESCRIPTION OF THE INVENTION 

The object of the invention is to provide a method and an apparatus implementing the method so that a receiver of a data packet can rely on the fact that the source address of the data packet indicates the real sender of the packet.

The objects of the invention are achieved with a method of preventing spoofing in a telecommunications system which comprises a terminal capable of transmitting data packets and at least one node for receiving and forwarding data packets in a first subsystem. The method comprises the following steps of: activating in the first subsystem a packet data address for the terminal for transmitting data packets between the terminal and a second subsystem; storing the packet data address in at least one node of the first subsystem via which the data packets of the packet data address are routed; receiving in said node the packet sent from the terminal, the packet comprising a destination address and a source address; checking in said node whether the source address of the packet is the same as the packet data address; and transmitting the packet from the node towards the destination address only if the addresses are identical.

The invention further relates to a method of preventing spoofing in a telecommunications system which comprises a terminal capable of transmitting data packets and at least one node for receiving and forwarding data packets in a first subsystem, the method comprising the following steps of: activating in the first subsystem a packet data address for the terminal for transmitting data packets between the terminal and a second subsystem; storing the packet data address in at least one node of the first subsystem via which the data packets of the packet data address are routed; receiving in said node the packet sent from the terminal, the packet comprising a destination address and a source address; defining the packet data address as a set of allowed packet data addresses; checking in said node whether the source address of the packet belongs to the set of allowed packet data addresses; and transmitting the packet from the node towards the destination address only if the source address of the packet belongs to the set of allowed packet data addresses.

The invention also relates to a network node of a packet network for transmitting data packets from a terminal of the packet network to a receiver, the network node being arranged to activate at least one packet data address for the terminal which the terminal can use when transmitting data packets, and to attach a packet received from the terminal to the packet data address used by the terminal. The network node is characterized in that in response to receiving a packet, the network node is arranged to compare the source address of the packet with the packet data address used by the terminal and to send the packet from the network node towards the destination address of the packet only if the addresses are identical.

WO 01/47179 PCT/FI00/01114

The invention further relates to a network node of a packet network for transmitting data packets from a terminal of the packet network to a receiver, the network node being arranged to activate at least one packet data address for the terminal which the terminal can use when transmitting data packets, and to attach a packet received from the terminal to the packet data address used by the terminal. The network node is characterized in that the packet data address is defined as a set of allowed packet data addresses; and in response to receiving a packet, the network node is arranged to check whether the source address of the packet belongs to the set of allowed packet data addresses of the packet data address used by the terminal and to send the packet from the network node towards the destination address of the packet only if the source address belongs to the set of allowed packet data addresses.

The invention is based on the idea that, thanks to the packet data address activated for transmitting data packets, a gateway support node GGSN, for example, knows the packet data address of the mobile station which has sent the data packet. So the gateway support node GGSN only needs to compare the source address in the data packet with the packet data address used by the mobile station. If the addresses are identical, the address has not been forged and the packet can be forwarded to the destination address.

An advantage of the invention is that it is very simple to implement, and yet it allows spoofing prevention. For example, the receiver of an IP packet can rely on the fact that the source address of the IP packet authenticates the sender of the IP packet. No additional authentication mechanism is needed, and consequently the network is not loaded, which minimizes the delay. The invention also facilitates implementation of chargeable services because the service producer can rely on the fact that the source address in the data packet indicates the user to be charged.

In a preferred embodiment of the invention comparison is carried out in the gateway support node. An advantage of this embodiment is that the comparison mechanism is added only to elements of which the network contains a small number.

In another preferred embodiment of the invention comparison is carried out in an edge node of the packet radio network serving the mobile station. An advantage of this embodiment is that the packet radio network is not loaded by transmitting packets which are not delivered in any way.

In a preferred embodiment of the invention comparison is performed only on the packets which use a packet data protocol enabling spoofing, i.e. forging of the source address. An advantage of this embodiment is that comparison is not performed in vain on packets the source address of which cannot be forged.

Preferred embodiments of the method and network node of the invention are disclosed in the appended dependent claims.
BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be described in greater detail by means of preferred embodiments with reference to the enclosed drawings, in which

Figure 1 is a block diagram illustrating the network architecture of a GPRS service, and

Figure 2 is a flow chart illustrating operation according to the invention.

DETAILED DESCRIPTION OF THE INVENTION 

The present invention is applicable to any packet switched system in which an individual packet data address is activated, as in the GPRS system, before it can be used, and in the network infrastructure of which information is maintained on the user's active packet data address. These systems include the 'third-generation mobile communication systems', such as the Universal Mobile Telecommunications System (UMTS) and IMT-2000 (International Mobile Telecommunications 2000), mobile communication systems corresponding to the GSM system, such as the DCS 1800 (Digital Cellular System for 1800 MHz) and PCS (Personal Communication System), and WLL systems which are based on the above-mentioned systems and implement a GPRS-type packet radio. Furthermore, the invention can be applied in systems other than mobile communication systems, such as cable modem networks and similar fixed systems. The invention will be described in the following using the GPRS service of the GSM system as an example, but the invention is not limited to such a system. The definitions of mobile communication systems change rapidly, which may necessitate additional changes to the invention. For this reason, all the terms and expressions should be interpreted broadly, and it should also be kept in mind that they are only intended to describe the invention, not to limit it.

Figure 1 illustrates the network architecture of a GPRS service at a general level because a more detailed structure of the network is irrelevant to the invention. The structure and function of the GSM system are very familiar to a person skilled in the art. The structure of the GPRS service is defined e.g. in ETSI specification 03.60, version 6.0.0 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Service Description; Stage 2), which is incorporated herein by reference. The GPRS service comprises an access network which provides radio access and is represented by the base station subsystem BSS of the GSM system in Figure 1. The GPRS service also comprises, as edge nodes, support nodes of the GPRS service for packet switched transmission of data between a packet data network PDN and a mobile station MS. The support nodes include a serving GPRS support node SGSN and a gateway GPRS support node GGSN. These support nodes SGSN and GGSN are interconnected by a backbone network 1. It should be noted that the functionalities of the SGSN and the GGSN can also be physically combined into the same network node, in which case the operator's backbone network is unnecessary. Logically the nodes are, however, separate nodes.

The serving GPRS support node SGSN serves the mobile station MS. Each support node SGSN produces a packet data service for mobile data terminals, i.e. mobile stations MS, within the area of one or more cells in a cellular packet radio network. For this purpose, each support node SGSN is typically connected to the GSM mobile communication system (typically to the base station controller in the base station subsystem BSS) so that the intermediate mobile communication network provides radio access and packet switched data transmission between the SGSN and the mobile stations. In other words, the mobile station MS in a cell communicates with a base station over the radio interface and further through the base station subsystem with the support node SGSN to the service area of which the cell belongs. The main functions of the SGSN node are to detect new GPRS mobile stations in its service area, to carry out registration of new mobile stations MS together with GPRS registers, to send data packets to or to receive them from the GPRS mobile station and to maintain a file on the location of the mobile stations MS within its service area. This means that the SGSN performs security functions and access control, such as authentication and encryption procedures. Using a unique tunnel the SGSN routes a packet received from the mobile station in encapsulated form over the GPRS backbone network to the GGSN node where the packet data address is activated.

GPRS gateway support nodes GGSN connect the operator's GPRS network to the external systems, data networks, such as an IP network (Internet) or an X.25 network, and servers 2. The GGSN can also be directly connected to a private company network or to a host. In the example of Figure 1, the GGSN is connected to the servers 2 via a reliable IP network 3 and to the Internet 4 via a firewall FW. The GGSN comprises GPRS subscribers' PDP addresses and routing information, i.e. the SGSN addresses. The GGSN updates the location file using the routing information produced by the SGSN nodes on the route of the mobile station MS. The GGSN functions as a router between an external address and internal routing information (e.g. SGSN). In other words, the GGSN routes a protocol packet of an external data network in encapsulated form over the GPRS backbone network to the SGSN node which at the given moment is serving the mobile station MS. It also decapsulates the packet sent from the mobile station and transmits the packets of the external data network to the data network concerned. The GGSN may also transmit packets from one mobile station to another within the network. In addition, the GGSN is responsible for billing of data traffic.

The mobile station MS may be any mobile node which supports packet data transmission and has a radio interface to the network. It can be, for example, a laptop PC which is connected to a cellular phone capable of packet radio operation, or an integrated combination of a small computer and a packet radio phone. The other embodiments of the mobile station MS include various pagers, remote-controllers, monitoring and/or data acquisition devices, etc. The mobile station may also be called a mobile node or a mobile host.

To access the GPRS services, the mobile station first has to make its presence known to the network by carrying out a GPRS attach operation. This operation establishes a logical link between the mobile station MS and the SGSN node and makes the mobile station available for a short message over the GPRS or a similar message transmitted without a connection, paging via the SGSN and notification of incoming GPRS data. To put it more accurately, when the mobile station MS attaches to the GPRS network (in a GPRS attach procedure), the SGSN creates a mobility management context (MM context) and a logical link LLC (Logical Link Control) is established between the mobile station MS and the SGSN node in a protocol layer. The MM context is stored in the SGSN node and mobile station MS. The MM context of the SGSN node may contain subscriber data, such as the subscriber's IMSI, TLLI (Temporary Logical Link Identifier) and location and routing information, etc.

To send and receive GPRS data, the mobile station MS has to activate the PDP address, i.e. the packet data address, it wants to use by requesting a PDP activation procedure. The PDP context can be activated when the mobile station attaches to the GPRS network. Alternatively, the mobile station may activate the PDP context later or activation may be performed as a result of an activation request received from the GPRS network (GPRS network requested PDP context activation). The GPRS interface comprises one or more individual PDP contexts which describe the packet data address and the parameters related thereto. To be more precise, the PDP context defines different data transmission parameters, such as the PDP type (e.g. X.25 or IP), PDP address (e.g. IP address), quality of service QoS and NSAPI (Network Service Access Point Identifier). One mobile station can have several similar PDP addresses, e.g. different IP addresses as PDP addresses (that is, the mobile station has several IP-type contexts). For example, different IP addresses, i.e. contexts, can be used for services of different quality and price transmitted using the IP protocol. The packet data address of the PDP context is either permanent (i.e. defined in the subscriber data of the home location register) or dynamic, in which case the GGSN allocates the packet data address during the PDP activation procedure. The PDP activation procedure activates the PDP context and makes the mobile station MS known in the corresponding GGSN node, and consequently interworking with external data networks can be initiated. During the PDP context activation the PDP context is created in the mobile station and in the GGSN and SGSN nodes. When the PDP context is being activated, the user is authenticated by means of GSM procedures, and thus the packet data address, e.g. IP address, given to the terminal in PDP context activation can be reliably attached to the user's identification code, e.g. IMSI (International Mobile Subscriber Identity).

The PDP context is created and the packets tunnelled using a GTP protocol (GPRS Tunnelling Protocol). The mobile station MS activates the PDP context with a specific message, Activate PDP Context Request, in which the mobile station provides information on the TLLI, PDP type, requested QoS and NSAPI, and optionally on the PDP address and access point name APN. The SGSN sends a 'Create PDP Context' message to the GGSN node which creates the PDP context and sends it to the SGSN node. If the 'Activate PDP Context Request' message (and the 'Create PDP Context' message) does not include the PDP address, the GGSN will allocate the PDP address during the creation of the PDP context and include a dynamic PDP address in the PDP context to be sent to the SGSN. The SGSN sends the PDP context to the mobile station MS in an 'Activate PDP Context Response' message. The PDP context is stored in the mobile station MS, SGSN node and GGSN node. In the serving SGSN node, each PDP context is stored together with the MM context. When the MS roams to the area of a new SGSN node, the new SGSN requests the MM context and PDP contexts from the old SGSN node.

Thus, in the PDP context activation procedure a virtual connection or link is established between the mobile station MS and the GGSN node. At the same time, a unique tunnel is formed between the GGSN and the SGSN for this PDP context and packet data address. The tunnel is a route which the IP packet follows and by means of which a packet transmitted from the mobile station is attached to a certain PDP context and certain packet data address in the GGSN. In other words, the tunnel is used for identifying the packet data address the mobile station used when it sent the packet. The packet is attached to a certain PDP context either with a TID (Tunnel Identifier) or with a tunnel end point identifier when the GTP protocol is used. The TID contains an NSAPI and an IMSI. During the PDP context activation procedure the GGSN may allocate the tunnel end point identifier to be used to point to the PDP context.

Figure 2 is a flow chart illustrating operation according to a first preferred embodiment of the invention in the gateway support node GGSN. In the first preferred embodiment of the invention, the source address included in the packet is compared with the activated packet data address only in the PDP contexts the type of which enables spoofing. These include IP-type contexts and packet data addresses. These types (or type) are defined in the node which performs the comparison. In the example of Figure 2 it is assumed that spoofing is possible only with IP addresses and does not succeed with other packet data address types. It is also presumed that the mobile station has activated the PDP context used by it, i.e. assumed an IP address, for example, and sends an IP packet e.g. to the server 1 illustrated in Figure 1 or to the Internet 4. It is further presumed that the TID is used to identify the tunnel.

Referring to Figure 2, in step 200 the GGSN receives a packet using a unique tunnel, decapsulates it in step 201 and extracts the tunnel identifier TID in step 202. In step 203 the GGSN retrieves, by means of the TID, PDP context information of the PDP context corresponding to the TID. The information includes the packet data address, i.e. PDP address, which is represented by an IP address in this example. Then in step 204 the GGSN checks whether the PDP context (i.e. packet data address) corresponding to the tunnel is of the IP type. If it is, the GGSN extracts the source address given in the header of the packet in step 205. When the GGSN knows both the addresses, it compares them in step 206. If the source address is the same as the PDP address of the PDP context, the mobile station is the one it claims to be in the IP packet, and consequently the GGSN forwards the packet in step 207. If the source address differs from the PDP address, the mobile station pretends to be another mobile station, and therefore the GGSN rejects the packet in step 208. Here rejection means that the packet is not sent to the destination address.

What happens to the packet after rejection depends on the operator's definitions and is irrelevant to the invention. For example, the user and the terminal may be notified of the source address not being what it should be by using control plane signalling. The GGSN, for example, may also send an alarm message to the operator's network operations and maintenance centre. It is also possible to make an entry containing the PDP context information and packet information into an error log file. The content of the rejected packet may also be written into the error log file. Furthermore, yet another option for notifying the user and the terminal of the false source address is to deactivate the PDP context that was used to send the fraudulent packet. The PDP context is deactivated in the GGSN, SGSN and MS, e.g. so that the GGSN requests the SGSN to deactivate the PDP context (or if it is the SGSN that rejects the packet, the SGSN will send the deactivation request to the GGSN) and the SGSN requests the MS to deactivate the PDP context. The deactivation request messages preferably include, as a cause code, a specific deactivation code indicating that the MS or an application in association with the MS has used a false or fraudulent source address. As a result of the specific cause code the user is notified of the attempt to use the false source address. The main reason for using this notification is that either the user is discouraged from cheating or the user is notified of an application using the false source address. Preferably, the notification to the end user is a text message or a message window identifying the application that attempted to transmit data with the false source address. The above described actions may also be carried out only after a predetermined amount of fraudulent packets have been rejected. When the MS is notified of the use of the false source address, the message, which the GGSN, for example, sends to the MS and/or to the operator's network and maintenance centre, may preferably carry some information on upper layer protocol (e.g. TCP or UDP) headers of the packet which had the false source address. This facilitates finding of the fraudulent application and the purpose of the fraudulent activity. The messages may even contain the entire content of the rejected packet(s). The packet flow of rejected packets may even be forwarded to an external node such as the operator's network operation and maintenance centre.

If it is noticed in step 204 that the PDP is not of the IP type, the 
GGSN will move directly to step 207 and forward the packet. 

The purpose of the check in step 206 is to make sure that only packets the sender of which has not pretended to be someone else are forwarded to external networks by the GGSN. Only a simple check is sufficient for authenticating the sender according to the invention, and there is no need for authentication signalling.

In another preferred embodiment of the invention the check of step 206 is performed in the SGSN and step 201 is omitted because the packet received from the mobile station is not encapsulated. In the other preferred embodiment, the SGSN extracts, in step 202, the TLLI and the NSAPI from the packet it received from the MS instead of the TID. The TLLI uniquely identifies the MS, and thus the IMSI, within the routing area. The NSAPI identifies the PDP context used by the MS with this packet. Using the TLLI and the NSAPI the SGSN retrieves the PDP context information. In the other preferred embodiment the TID (or other corresponding information identifying the PDP context) is added to the packet and the packet is encapsulated before step 207, i.e. before the packet is sent to the GGSN.

In the future, an address space of PDP addresses might be related to one PDP context or to a corresponding connection definition. The address space can be a list of allowed PDP addresses, for example. In that case it is sufficient that the source address included in the packet is among the allowed addresses. Similarly, in the future, the PDP context information may specify the allowed PDP address as a set of allowed addresses (i.e. address space) by defining part of the allowed PDP address. In that case the source address in the packet has to comprise the defined part of the address, i.e. the source address has to belong to the set of allowed addresses. The address space may also be defined by using both methods described above. The address space can be defined in some other way, too.

In embodiments where several packet data address types enabling spoofing are defined, it is checked in step 204 whether the packet data address used in the packet is one of these. If it is, we continue from step 205. Otherwise we move to step 207.

In some preferred embodiments of the invention the source address included in the packet is compared with the activated packet data address regardless of the type of the activated packet data address. In that case the check of step 204 is not performed, but the check of step 206 is performed on each packet.
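The Figure 2 check (steps 203 to 208), the address-space variant in which the PDP context carries a list of allowed addresses or a defined address part, and the error-log and "deactivate after a predetermined number of rejections" handling, as an added example written for this page; it is not code from the patent or from any GPRS product, and the PDP context layout, tunnel identifier strings, sample addresses and the `notify_after` threshold are assumptions:

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# PDP types whose packet data address can be forged; step 204 checks only these.
SPOOFABLE_PDP_TYPES = {"IP"}


@dataclass
class PdpContext:
    """Subset of a stored PDP context (hypothetical layout, not the 03.60 one)."""
    pdp_type: str                       # e.g. "IP" or "X.25"
    pdp_address: str                    # activated packet data address
    # Optional address space of the later embodiment: explicit extra addresses
    # and/or a defined part of the address expressed as CIDR prefixes.
    allowed_addresses: set = field(default_factory=set)
    allowed_prefixes: List[str] = field(default_factory=list)

    def allows(self, src: str) -> bool:
        """True if src is the activated address or belongs to the allowed set."""
        if src == self.pdp_address or src in self.allowed_addresses:
            return True
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            return False            # not even an IP address: cannot match a prefix
        return any(ip in ipaddress.ip_network(p) for p in self.allowed_prefixes)


@dataclass
class TunnelledPacket:
    """Constructed stand-in for a decapsulated packet plus its tunnel identifier."""
    tid: str        # TID = IMSI + NSAPI in GTP; an opaque string here
    src_addr: str   # source address taken from the packet header (step 205)
    dst_addr: str


def check_packet(contexts: Dict[str, PdpContext], pkt: TunnelledPacket) -> Tuple[str, str]:
    """Steps 203-208 of Figure 2: returns ('forward', why) or ('reject', why)."""
    ctx = contexts.get(pkt.tid)                              # step 203
    if ctx is None:
        return ("reject", "no PDP context for tunnel %s" % pkt.tid)
    if ctx.pdp_type not in SPOOFABLE_PDP_TYPES:              # step 204
        return ("forward", "%s context, source not checked" % ctx.pdp_type)
    if ctx.allows(pkt.src_addr):                             # step 206
        return ("forward", "source matches activated address")      # step 207
    return ("reject", "source %s is not the activated address %s"
            % (pkt.src_addr, ctx.pdp_address))              # step 208


class SpoofFilter:
    """check_packet plus the error log and the 'act only after N rejections'
    option described for rejected packets (assumed bookkeeping, not 03.60)."""

    def __init__(self, contexts: Dict[str, PdpContext], notify_after: int = 3):
        self.contexts = contexts
        self.notify_after = notify_after
        self.error_log: List[dict] = []          # PDP context + packet info per rejection
        self.rejections: Dict[str, int] = {}     # rejected packets per tunnel

    def handle(self, pkt: TunnelledPacket) -> Tuple[str, Optional[str]]:
        decision, reason = check_packet(self.contexts, pkt)
        if decision == "forward":
            return (decision, None)
        ctx = self.contexts.get(pkt.tid)
        self.error_log.append({"tid": pkt.tid, "reason": reason,
                               "pdp_address": ctx.pdp_address if ctx else None,
                               "src": pkt.src_addr, "dst": pkt.dst_addr})
        self.rejections[pkt.tid] = self.rejections.get(pkt.tid, 0) + 1
        if self.rejections[pkt.tid] >= self.notify_after:
            # Would trigger the deactivation request with the specific cause code.
            return (decision, "deactivate PDP context, cause: false source address")
        return (decision, None)


# Constructed sample table: two IP-type tunnels and one X.25-type tunnel.
SAMPLE_CONTEXTS = {
    "tid-A": PdpContext("IP", "10.1.2.3"),
    "tid-B": PdpContext("IP", "10.1.2.4", allowed_prefixes=["10.1.8.0/24"]),
    "tid-C": PdpContext("X.25", "12345678"),
}


def run_sample() -> List[Tuple[str, str, Optional[str]]]:
    """Runs constructed packets through the filter; returns (tid, decision, note)."""
    f = SpoofFilter(SAMPLE_CONTEXTS, notify_after=2)
    packets = [
        TunnelledPacket("tid-A", "10.1.2.3", "192.0.2.10"),   # genuine source
        TunnelledPacket("tid-A", "10.1.2.4", "192.0.2.10"),   # claims B's address
        TunnelledPacket("tid-B", "10.1.8.77", "192.0.2.10"),  # inside allowed prefix
        TunnelledPacket("tid-B", "10.1.9.1", "192.0.2.10"),   # outside prefix
        TunnelledPacket("tid-C", "n/a", "87654321"),          # X.25: step 204 skips check
        TunnelledPacket("tid-A", "10.1.2.99", "192.0.2.10"),  # second spoof from A
    ]
    return [(p.tid,) + f.handle(p) for p in packets]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```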

The order of steps shown in Figure 2 may differ from what has been described above and the steps can also be performed simultaneously. For example, step 204 can be performed before step 201 and step 203 simultaneously with step 205. Between the steps it is possible to carry out steps which are not shown in the figure. In some embodiments step 201 and/or 204 can be omitted. In step 202 some other information identifying the PDP context can be extracted instead of the TID.

In addition to the means needed to implement the service according to the state of the art, the telecommunications system, telecommunications network and network node implementing the functionality according to the present invention comprise means for comparing the address included in the packet with the address/addresses activated, i.e. allowed, for the sender of the packet. Existing network nodes comprise processors and memory which can be utilized in the functions according to the invention. All changes needed to implement the invention can be carried out as additional or updated software routines and/or by means of application circuits (ASIC).

Even though it has been explained above that the edge element of the network (SGSN or GGSN) authenticates the subscriber, the invention is not limited to the edge elements. Another network node in which the address information needed for comparison is stored can also perform the comparison.

It should be understood that the above terms 'packet data protocol PDP' or 'PDP context' generally refer to a state in the terminal (e.g. in a mobile station) and to at least one network element or functionality. The state brings about a transmission path, i.e. a tunnel, having a specific number of parameters for data packets via the network used by the terminal (e.g. a mobile communication network). The term 'node' used in this specification should be interpreted as a term generally referring to a network element or functionality which processes data packets transmitted via the PDP tunnel.

It should be understood that the above description and the figures related thereto are only intended to illustrate the present invention. It will be obvious to the person skilled in the art that the invention can be modified in various ways without deviating from the scope and spirit of the invention disclosed in the enclosed claims.
CLAIMS

1. A method of preventing spoofing in a telecommunications system which comprises a terminal capable of transmitting data packets and at least one node for receiving and forwarding data packets in a first subsystem, the method comprising the following steps of:

activating in the first subsystem a packet data address for the terminal for transmitting data packets between the terminal and a second subsystem;

storing the packet data address in at least one node of the first subsystem via which the data packets of the packet data address are routed;

receiving in said node the packet sent from the terminal, the packet comprising a destination address and a source address;

characterized by

checking (206) in said node whether the source address of the packet is the same as the packet data address; and

transmitting (207) the packet from the node towards the destination address only if the addresses are identical.

2. A method of preventing spoofing in a telecommunications system which comprises a terminal capable of transmitting data packets and at least one node for receiving and forwarding data packets in a first subsystem, the method comprising the following steps of:

activating in the first subsystem a packet data address for the terminal for transmitting data packets between the terminal and a second subsystem;

storing the packet data address in at least one node of the first subsystem via which the data packets of the packet data address are routed;

receiving in said node the packet sent from the terminal, the packet comprising a destination address and a source address;

characterized by

defining the packet data address as a set of allowed packet data addresses;

checking (206) in said node whether the source address of the packet belongs to the set of allowed packet data addresses; and

transmitting (207) the packet from the node towards the destination address only if the source address of the packet belongs to the set of allowed packet data addresses.

3. A method according to claim 1 or 2, characterized in that 
said node is the gateway support node of the first subsystem which routes the 
data packet from the terminal to the second subsystem. 

4. A method according to claim 1 or 2, characterized in that 
said node is a support node which serves the mobile station and routes the 
packet received from the terminal forward in the first subsystem. 

5. A method according to any one of the preceding claims, characterized in that the first subsystem is a packet radio network which uses a GTP protocol and in which the packet data address is activated by activating the corresponding PDP context.

6. A method according to any one of the preceding claims, char- 
acterized by the method further comprising the following steps of: 

maintaining information on first packet data address types in said 
node, the information including at least one packet data address type on which 
said check is performed; and 

performing said check only if the packet data address is of the first 
packet data address type. 

7. A method according to claim 6, characterized in that the 
first packet data address type includes at least an IP address according to the 
Internet protocol. 

8. A network node (SGSN, GGSN) of a packet network for transmitting data packets from a terminal (MS) of the packet network to a receiver (2, 4), the network node (SGSN, GGSN) being arranged to activate at least one packet data address for the terminal which the terminal can use when transmitting data packets, and to attach a packet received from the terminal to the packet data address used by the terminal, characterized in that

in response to receiving a packet, the network node (SGSN, GGSN) is arranged to compare the source address of the packet with the packet data address used by the terminal and to send the packet from the network node towards the destination address of the packet only if the addresses are identical.

9. A network node (SGSN, GGSN) of a packet network for transmitting data packets from a terminal (MS) of the packet network to a receiver (2, 4), the network node (SGSN, GGSN) being arranged to activate at least one packet data address for the terminal which the terminal can use when transmitting data packets, and to attach a packet received from the terminal to the packet data address used by the terminal, characterized in that

the packet data address is defined as a set of allowed packet data addresses; and

in response to receiving a packet, the network node (SGSN, GGSN) is arranged to check whether the source address of the packet belongs to the set of allowed packet data addresses of the packet data address used by the terminal and to send the packet from the network node towards the destination address of the packet only if the source address belongs to the set of allowed packet data addresses.

10. A network node according to claim 8 or 9, characterized in that the network node (SGSN, GGSN) is arranged to maintain information on first packet data address types on which said comparison is performed and to perform the comparison only if the packet data address used by the terminal is of the first packet data address type.

11. A network node according to claim 8, 9 or 10, characterized in that the network node is a gateway support node (GGSN) of a packet radio network (GPRS) using a GTP protocol.

12. A network node according to claim 8, 9 or 10, characterized in that the network node is a support node (SGSN) serving the terminal in a packet radio network (GPRS) using a GTP protocol.